I want to warn you about multiple security vulnerabilities in the Rokbox plugin for WordPress.

These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service, Arbitrary File Upload, Content Spoofing and Information Leakage vulnerabilities. Rokbox uses TimThumb 1.16 and JW Player 4.4.198, so some of the vulnerabilities relate to the plugin itself, some to TimThumb (whose vulnerabilities I disclosed in 2011, and the developer fixed them after my report) and some to JW Player (whose vulnerabilities I disclosed in 2012, and the developer fixed them after my report).

All versions of Rokbox for WordPress (Rokbox <= 2.13) are vulnerable to CS and XSS in JW Player and to FPD, but IL and the vulnerabilities in TimThumb were fixed. After my report in August the developers replaced TimThumb with phpThumb, so version 2.13 isn't vulnerable to them.

http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):

http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/plugins/wp_rokbox/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)
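The two thumb.php issues above share a root cause: the script fetches whatever URL is in src, and the optional domain restriction is a string match that a crafted host or path can satisfy. The following is an added illustration of the check a fetcher should do instead, together with a read cap against the big-file case; it is not RokBox, TimThumb or phpThumb code, and ALLOWED_HOSTS, MAX_BYTES and the sample URLs are assumed, constructed values.

```python
"""Host allow-list and size cap for a remote-thumbnail fetcher.

Added illustration, not RokBox/TimThumb/phpThumb code. ALLOWED_HOSTS and
MAX_BYTES are assumed stand-ins for the plugin's allowed-sites option and
a fetch limit; the sample URLs below are constructed.
"""
import io
from urllib.parse import urlsplit

ALLOWED_HOSTS = ("flickr.com", "cdn.example.test")  # constructed list
MAX_BYTES = 2 * 1024 * 1024                          # assumed cap


def naive_is_allowed(src: str) -> bool:
    """Substring match: accepts any URL whose *text* contains an allowed
    name, which is why a domain restriction of this style can be bypassed."""
    return any(host in src.lower() for host in ALLOWED_HOSTS)


def strict_is_allowed(src: str) -> bool:
    """Parse the URL first, then compare the real host on label boundaries:
    exact match or a subdomain of an allowed host, http(s) only."""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def read_capped(stream, limit: int = MAX_BYTES) -> bytes:
    """Read at most `limit` bytes from a remote body; refuse anything larger
    instead of buffering an arbitrarily big file (the DoS case above)."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError("remote file exceeds size cap")
    return data


if __name__ == "__main__":
    for url in ("https://www.flickr.com/a.jpg",          # legitimate host
                "http://flickr.com.attacker.test/a.jpg",  # allowed name as prefix
                "http://attacker.test/flickr.com/a.jpg"): # allowed name in path
        print(f"{url:42} naive={naive_is_allowed(url)!s:5} "
              f"strict={strict_is_allowed(url)}")
    # constructed 100-byte body read under a 100-byte cap
    print(len(read_capped(io.BytesIO(b"x" * 100), limit=100)))
```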

The swf file of JW Player accepts arbitrary addresses in the config parameter, which allows spoofing the content of the flash, e.g. by supplying the address of a config file on another site (the file and image parameters in the xml file also accept arbitrary addresses). For the config file to be loaded from another site, that site needs to have a crossdomain.xml.

2012.08.24 - announced at my site.
2012.08.28 - informed developers.
2012.08.29 - developers answered that they will look at it.
2012.12.14 - disclosed at my site (http://websecurity.com.ua/6006/). The developers haven't told me which holes they fixed and in which versions, but my check of the latest version of RokBox showed that they fixed only part of the holes.